Regulators tightened expectations across security, disclosure, and operational resilience. Here is what changed, why it matters for crypto and fintech teams, and how to respond with an operating model built around Managed Detection & Response.

The quick view

  • ISO 27001. 2013 certificates expired on October 31, 2025. The 2022 revision is now the baseline.
  • PCI DSS v4.0. All future-dated requirements went live March 31, 2025.
  • EU DORA. Applies to financial entities and critical ICT providers as of January 17, 2025.
  • NIS2. Broader scope, uneven national transposition, real penalties.
  • NYDFS Part 500. Final Second Amendment controls effective November 1, 2025.
  • CIRCIA, United States. Final rule pending. Expect 72-hour incident and 24-hour ransomware reporting once effective.
  • SEC cyber disclosures. Four business days to disclose material incidents, annual program detail required.
  • EU AI Act. Obligations phase in from 2025 to 2027.
  • EU AMLA. Authority operating, supervision ramps over the next years.
  • MiCA and the EU travel rule. CASP authorization and transfer data rules active, with some transitions into 2026.

What changed, why it matters, what to do

ISO/IEC 27001:2022

Why it matters. Expired 2013 certificates will fail vendor diligence.

Do now. Re-scope the ISMS to match cloud reality. Close gaps in inventory, logging, secrets, and SaaS governance. Assign control owners in engineering.

PCI DSS v4.0

Why it matters. Acquirers and brands will treat gaps as non-compliance.

Do now. Enforce phishing-resistant MFA for admin and remote access. Prove continuous scope management. If using the customized approach, keep test evidence that risk is equal or lower.

EU DORA

Why it matters. Selling into EU financials now requires DORA alignment.

Do now. Map services to incident classes and reporting clocks. Build a register of critical dependencies and exit plans. Schedule resilience testing.

NIS2

Why it matters. Cross-border projects face different supervisors, similar outcomes.

Do now. Determine entity class by country. Standardize to the strictest bar. Align incident thresholds and notification flows per jurisdiction.

NYDFS Part 500

Why it matters. Licensed crypto and fintech firms in New York must prove stronger MFA, privileged-access limits, and full asset inventories.

Do now. Complete hardware, software, cloud, and SaaS inventories. Move to phishing-resistant MFA. Run named-executive tabletops.

CIRCIA, United States

Why it matters. Critical-infrastructure partners will adopt 72- and 24-hour reporting patterns.

Do now. Pre-build evidence pipelines and a disclosure kit with legal, communications, and investor relations.

SEC cybersecurity disclosures

Why it matters. Materiality, board oversight, and incident playbooks are securities issues.

Do now. Stand up a repeatable materiality analysis. Keep incident-ready summaries. Record board briefings and risk decisions.

EU AI Act

Why it matters. AI in fraud, scoring, or moderation triggers controls before 2027.

Do now. Classify systems, document data provenance, implement human oversight, and log robustness evaluations.

EU AMLA

Why it matters. Expect more consistent AML supervision and sharper expectations for crypto.

Do now. Strengthen monitoring, sanctions screening, and enhanced due diligence. Prepare for thematic reviews.

MiCA and the EU travel rule

Why it matters. Wallet screening, metadata handling, and retention affect user experience and throughput.

Do now. Validate transfer-data handling. Keep personal data off-chain. Document custody and non-custody responsibilities.

Regulatory timeline, 2024 to 2027

  • December 30, 2024. MiCA CASP authorization and the EU travel rule apply in the EU.
  • January 17, 2025. DORA takes effect for financial entities and critical ICT providers.
  • March 31, 2025. PCI DSS v4.0 future-dated controls become mandatory.
  • May to October 2025. NIS2 transposition pressure on member states, uneven rollout.
  • November 1, 2025. NYDFS Part 500 Second Amendment, final wave effective.
  • CIRCIA. Final rule expected; reporting clocks begin once effective.
  • 2025 to 2027. EU AI Act obligations phase in, with high-risk requirements landing before 2027.

One operating model: Managed Detection & Response, tuned for Web3

Running separate programs for each rule creates gaps. A single operating model closes them. Anchor on Managed Detection & Response that merges on-chain and off-chain telemetry, bakes in reporting clocks, and maintains audit-ready evidence.

Inputs. On-chain monitors and mempool signals, application and infrastructure logs, CI and deployment events, identity and access data, third-party status and SLAs.

Core. Unified telemetry, correlation and detection rules, triage runbooks, a materiality desk with legal and communications, escalation timers aligned to SEC, DORA, NIS2, and CIRCIA.

Outputs. Containment and recovery actions, disclosure packs, a complete incident timeline.

What good looks like

  • Clear owners for every critical asset.
  • Phishing-resistant MFA on all admin and deploy paths.
  • One incident channel and one incident timeline.
  • Severity filters tied to reporting clocks.
  • After-action reviews that feed back into tests and runbooks.
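As an added example (not Cantina's code or platform), a Python sketch of the severity filter and escalation timers described above: it takes the two clocks the page states (SEC four business days after the materiality determination, CIRCIA 72 hours from reasonable belief of a covered incident and 24 hours from a ransom payment), returns every deadline a constructed sev1 incident has started, and reports which expires first. The sev1..sev4 triage scale and the field names are assumptions; DORA and NIS2 clocks are left out because they vary by entity class and jurisdiction.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple
# Clocks from the page: SEC 8-K four business days after the materiality determination; CIRCIA
# 72 h from reasonable belief of a covered incident, 24 h from a ransom payment. DORA and NIS2
# clocks vary by entity class and jurisdiction and are deliberately not modelled here.
SEC_BUSINESS_DAYS = 4
CIRCIA_INCIDENT = timedelta(hours=72)
CIRCIA_RANSOM = timedelta(hours=24)

def add_business_days(start: datetime, days: int) -> datetime:
    """Advance by weekdays only (holiday calendars are out of scope for this example)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday..Friday
            days -= 1
    return current

def reporting_deadlines(severity: str, reasonable_belief_at: datetime,
                        material_determined_at: Optional[datetime] = None,
                        ransom_paid_at: Optional[datetime] = None,
                        critical_infrastructure: bool = False) -> Dict[str, datetime]:
    """Apply the severity filter, then start every regulatory clock the incident triggers."""
    deadlines: Dict[str, datetime] = {}
    if severity not in {"sev1", "sev2"}:  # assumed triage scale: only these escalate
        return deadlines  # engineering incident only, no regulatory timers
    if material_determined_at is not None:
        deadlines["sec_8k"] = add_business_days(material_determined_at, SEC_BUSINESS_DAYS)
    if critical_infrastructure:
        deadlines["circia_incident"] = reasonable_belief_at + CIRCIA_INCIDENT
        if ransom_paid_at is not None:
            deadlines["circia_ransom"] = ransom_paid_at + CIRCIA_RANSOM
    return deadlines

def next_escalation(deadlines: Dict[str, datetime], now: datetime) -> Optional[Tuple[str, timedelta]]:
    """Earliest open clock and the time left on it; a negative value means overdue."""
    if not deadlines:
        return None
    name, due = min(deadlines.items(), key=lambda item: item[1])
    return name, due - now

if __name__ == "__main__":
    # Constructed sample: sev1 at a critical-infrastructure operator, Friday 2025-03-28 UTC.
    clocks = reporting_deadlines("sev1", datetime(2025, 3, 28, 10, tzinfo=timezone.utc),
                                 material_determined_at=datetime(2025, 3, 28, 15, tzinfo=timezone.utc),
                                 ransom_paid_at=datetime(2025, 3, 28, 20, tzinfo=timezone.utc),
                                 critical_infrastructure=True)
    for name, due in sorted(clocks.items(), key=lambda item: item[1]):
        print(f"{name:16s} due {due:%a %Y-%m-%d %H:%M} UTC")
    print("next:", next_escalation(clocks, datetime(2025, 3, 28, 12, tzinfo=timezone.utc)))
```

The weekend skip is what turns a Friday materiality call into a Thursday SEC deadline; wire the returned deadlines into alert routing rather than relying on people to count days.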

How Cantina helps

  • Smart contract audits. Managed teams for deep, high-signal audits when you need assurance before mainnet, upgrades, or integrations.
  • Bug Bounties. High-signal programs with strong triage to cut noise and focus engineers on real issues.
  • Managed Detection and Response. Access specialist guilds, including Spearbit for white-glove reviews and partners for OPSEC, pen testing, and fuzzing. Incident response support is part of our combined offering.
  • Cantina Code. Purpose-built platform to run security engagements, communicate, triage findings, and keep evidence organized for audits and disclosures.
  • Web3SOC. Complete the self-assessment or work with Cantina to understand your current standing and what is needed to earn institutional trust.

Questions, or want this tailored to your stack? Contact us. We're available 24/7.

What to do this quarter

  1. Pick your reference stack. Use ISO 27001:2022 as the backbone, map DORA, NIS2, NYDFS 500, and SEC to it.
  2. Harden identity and inventory. Phishing-resistant MFA for admins, no legacy access, live inventories across hardware, software, cloud, and secrets.
  3. Wire your MDR. Centralize telemetry, set alert routes, and define escalation timers that meet the four-business-day SEC clock and the EU notification clocks.
  4. Tighten third-party risk. Maintain a register of critical vendors, attestations, SLAs, and exit plans.
  5. Prove testing depth. Pair a managed audit with fuzzing and a time-boxed competition, then run a bounty for continuous coverage.
